Wednesday, June 25, 2014

0day market conspiracy theories

So here’s the deal about the 0day market: it’s all a big conspiracy theory. It’s like when the military was testing the stealth fighter over Area 51 and people thought it was space aliens. Yes, it’s true that the military was covering up something, but rather than aliens it was something more normal. The same is true of the 0day market: it’s not that it doesn’t exist, it’s just that everyone has created a conspiracy theory about it that is largely unrelated to reality.

I mention this because of a recent Stanford undergraduate paper arguing for the outlawing of 0day. It’s pure conspiracy theory, citing innuendo as fact.

For example, when talking about Heartbleed, the paper’s author says “Experts wondered whether this vulnerability resulted from coding mistakes or was deliberately inserted, perhaps by a government intelligence agency”, citing Bruce Schneier as the source. The word “wondered” means “wondered”. Schneier has no reason to think this, he has no evidence, there’s no reason to give his idle musings any weight. As a well-known expert, I have wondered on Twitter if Heartbleed was caused by Global Warming – which has exactly as much validity as Schneier’s wonderings on Heartbleed. Conversely, NBA player LeBron James might've wondered if the NSA had something to do with Heartbleed, and he is every bit as qualified to wonder that as Bruce Schneier.

It’s not Schneier wondering here, but the paper’s author. She wants to make this accusation, so cites something as hard evidence that is bare innuendo. She’s using what looks like an “academic” type of citation but it’s really just a “conspiracy theory” citation. Seriously, the wackos claiming Bush was complicit in 9/11 have better standards than that. (That her advisors let her get away with this sort of nonsense citation shows how left-wing activism dominates good sense in academia).

There is a citation-inflation going on here. This paper cites Schneier's idle musing as support for her claims, and the next paper will cite this one as confirming “Experts believe the government knew ahead of time”.

That describes many of the citations in this paper. This paper places more confidence on claims than the original articles it cites. For example, this paper cites sources to claim that my company, Errata Security, is a “verified seller of 0day”. In fact, none of her sources make that claim -- that's her exaggerating what the sources did say.

In fact, there is no evidence that any particular 0day has ever been sold in this vast market everyone is talking about. I mean, with such a big market that everyone knows what’s going on, I’d think you’d be able to name at least one sold 0day as evidence, such as a bill of sale of VUPEN selling CVE-2012-4167 to the NSA for $100,000. Yes, there is a lot of partial evidence hinting that something is going on, but not nearly enough evidence to paint the complete picture. And that's the problem I mention at the top of this post: people have created an exciting conspiracy theory that differs from the boring reality.

I write this because regulating 0day will have an enormous impact on civil liberties. Take, for example, “jailbreaking”. Companies like Apple sell us phones that are locked down, controlled by Apple and the phone companies, and not controlled by us. Taking control of the phone is called "jailbreaking", and it's illegal in many countries (including this one, technically). That’s Orwellian, as in the book 1984 where TVs spied on their owners and it was illegal to turn them off. Every time Apple releases an update, the jailbreaking community rushes to find an 0day to jailbreak the phone, giving control back to their owners, allowing owners to turn off the features Apple and the phone companies use to spy on them. These same 0days are also sold to the NSA so they can spy on people. This conspiracy-theory-led crackdown on 0day will do nothing to stop the NSA, but will do everything to take them out of the hands of we the people. Far from believing in these disastrous conspiracy theories, our community should be standing up for our 0day rights.

(Note: I expect to be updating this post soon by somebody citing an actual bill of sale from somebody, thus disproving my assertion that such things don't exist. It's just that I know a lot about this topic, and I've never come across any public information like this).

(Also note: Before commenting on this post, please pay attention to what I wrote, and not what you think I meant.)


Kevin said...

somebody citing an actual bill of sale

I don't know if Charlie Miller can be called "somebody", but it shows evidence of it in 2007: with a scan of a 50000$ check.

Ivo Blaauw said...

"pay attention to what I wrote, and not what you think I meant"
So you think I'm FAT, Rob. That it?

Backrow said...

Why would there be any public information about the sale of what amounts to weapons?

Even if you sold 0days to the govt, Rob, you know full well that there would be NDAs or even classification of the deal.

This article seems like deflection

Zac said...

So you are saying that the aliens are hiding their 0day sales to the NSA after taking over Area 51?

Jennifer Granick said...

I think you misread the paper. She cites Heartbleed and the public musings about govt complicity in it to explain why the Obama Administration felt the need to go public with its 0day disclosure policy, and not because she thinks the govt was involved/knowledgeable. *Sigh*.

Will Hogan said...

I thought Google pays a stipend to coders who find vulnerabilities in their code. I thought they even had an annual conference celebrating it.